Re: HTTP Application Security (HAS) BoF
Peter Saint-Andre <stpeter@stpeter.im> Thu, 03 June 2010 18:14 UTC
We now have a dedicated list for this BoF:

https://www.ietf.org/mailman/listinfo/hasmat

Please discuss further on that list. I'll be blasting various lists and individuals regarding the BoF.

On 6/2/10 8:11 AM, Peter Saint-Andre wrote:
> I've received a proposal to hold a birds of a feather (BoF) session at IETF 78 in Maastricht on the topic of HTTP Application Security. A draft charter and agenda can be found below. Please discuss on the apps-discuss@ietf.org list:
>
> https://www.ietf.org/mailman/listinfo/apps-discuss
>
> /psa
>
> ###
>
> Charter for HTTP Application Security (HAS) WG
>
> Problem Statement
>
> Although modern Web applications are built on top of HTTP, they provide rich functionality and have requirements beyond the original vision of static web pages. HTTP, and the applications built on it, have evolved organically. Over the past few years, we have seen a proliferation of AJAX-based web applications (AJAX being shorthand for asynchronous JavaScript and XML), as well as Rich Internet Applications (RIAs), based on so-called Web 2.0 technologies. These applications bring both luscious eye-candy and convenient functionality, e.g. social networking, to their users, making them quite compelling. At the same time, we are seeing an increase in attacks against these applications and their underlying technologies.
>
> The list of attacks is long and includes Cross-Site Request Forgery (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS) attacks, attacks against browsers supporting anti-XSS policies, clickjacking attacks, malvertising attacks, as well as man-in-the-middle (MITM) attacks against "secure" (e.g. Transport Layer Security (TLS/SSL)-based) web sites along with distribution of the tools to carry out such attacks (e.g. sslstrip).
>
> Objectives
>
> With the arrival of new attacks, new web security indicators, security techniques, and policy communication mechanisms have been sprinkled throughout the various layers of the Web and HTTP.
>
> The goal of this working group is to standardize a small number of selected specifications that have proven to improve security of Internet Web applications. The requirements guiding the work will be taken from the Web application and Web security communities. Initial work will be limited to the following topics:
>
> - Media type sniffing, as discussed in draft-abarth-mime-sniff
> - Same origin policy, as discussed in draft-abarth-origin (expired)
> - Strict transport security, as discussed in draft-hodges-stricttransportsec (to be submitted shortly)
>
> This working group will work closely with IETF Apps Area WGs (such as HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
>
> Deliverables
>
> 1. A document illustrating the security problems Web applications are facing and listing design requirements. This document shall be Informational.
>
> 2. A selected set of technical specifications documenting deployed HTTP-based Web security solutions. These documents shall be Standards Track.
>
> Goals and Milestones
>
> Oct 2010  Submit "HTTP Application Security Problem Statement and Requirements" as initial WG item.
> Oct 2010  Submit "Media Type Sniffing" as initial WG item.
> Oct 2010  Submit "Web Origin Concept" as initial WG item.
> Oct 2010  Submit "Strict Transport Security" as initial WG item.
> Feb 2011  Submit "HTTP Application Security Problem Statement and Requirements" to the IESG for consideration as an Informational RFC.
> Mar 2011  Submit "Media Type Sniffing" to the IESG for consideration as a Standards Track RFC.
> Mar 2011  Submit "Web Origin Concept" to the IESG for consideration as a Standards Track RFC.
> Mar 2011  Submit "Strict Transport Security" to the IESG for consideration as a Standards Track RFC.
> Apr 2011  Possible re-chartering
>
> ###
>
> Agenda for HTTP Application Security (HAS) BoF, IETF 78
>
> Chairs: Hannes Tschofenig and Jeff Hodges (to be finalized)
>
> 5 min   Agenda bashing (Chairs)
>
> 10 min  Description of the problem space (TBD)
>
> 20 min  Motivation for standardizing (TBD)
>         draft-abarth-mime-sniff
>         draft-abarth-origin
>         draft-hodges-stricttransportsec
>
> 15 min  Presentation of charter text (TBD)
>
> 60 min  Discussion of charter text and choice of the initial specifications (All)
>
> 10 min  Conclusion (Chairs/ADs)
>
> ###
>